def scanner(ip_address):
    """Run the general nmap TCP and UDP scans for one host and fan out service enumeration.

    Writes nmap output under ./results/nmap (text and XML for each scan), parses
    the TCP scan output for open tcp ports, groups them by service name, and
    hands each (service, port) pair to the matching recon.*Enum function via
    recon.multProc.  Only the TCP results are parsed; the UDP results are
    captured but never inspected.  Returns None.

    Requires the module-level names `subprocess` and `recon` (both imported
    elsewhere in the file) and network/privileges for nmap.

    NOTE(review): ip_address is interpolated unescaped into shell command
    strings run with shell=True.  The caller is expected to pass one literal
    address; any value that is not a plain address (e.g. a tampered input
    file) would change the command.  Passing an argument list with
    shell=False would remove that risk.
    """
    ip_address = ip_address.strip()
    print "INFO: Running general TCP/UDP nmap scans for " + ip_address
    # service name -> list of "port/proto" strings, filled by the parser below
    serv_dict = {}
    recon.checkpath("./results/nmap")
    # Both command strings are %-formatted with the address three times:
    # two output file names plus the scan target.
    tcpscan = "nmap -vv -Pn -A -sC -sS --top-ports 1000 --min-rtt-timeout 50ms --max-rtt-timeout 60ms --initial-rtt-timeout 100ms --scan-delay 0 --min-rate 450 --max-rate 15000 --max-retries 3 -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67-69,123,135,137-139,161-162,445,500,514,520,631,1434,1900,4500,49152 --defeat-rst-ratelimit --open --privileged --stats-every 10s -oN './results/nmap/%s.nmap' -oX './results/nmap/%s_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
    udpscan = "nmap -vv -Pn -sC -sU -T 4 --top-ports 200 -oN './results/nmap/%sU.nmap' -oX './results/nmap/%sU_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
    # check_output raises CalledProcessError on a non-zero nmap exit; nothing
    # here catches it, so a failed scan propagates to the caller.
    tcpresults = subprocess.check_output(tcpscan, shell=True)
    udpresults = subprocess.check_output(udpscan, shell=True)
    # Only the TCP output is parsed; udpresults is assigned and unused.
    results = tcpresults
    lines = results.split("\n")
    # Parse the nmap text output: keep lines describing open tcp ports and
    # record the service name for each one.
    for line in lines:
        ports = []
        line = line.strip()
        if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
            # NOTE(review): as written this loop can never terminate when the
            # line contains a space (replace(" ", " ") is a no-op).  It looks
            # like whitespace collapsing (double space -> single space) that
            # lost a character in extraction -- confirm against the original.
            while " " in line:
                line = line.replace(" ", " ")
            linesplit = line.split(" ")
            service = linesplit[2] # third field is the service name
            port = line.split(" ")[0] # first field is "port/proto"
            if service in serv_dict:
                ports = serv_dict[service] # service already seen: extend its port list
            ports.append(port)
            serv_dict[service] = ports # (re)store the port list for this service
    # Dispatch each service to the targeted enumeration helper in recon.
    # Each branch strips the "/proto" suffix before passing the port on.
    for serv in serv_dict:
        ports = serv_dict[serv]
        # NOTE(review): `serv == "http" in serv` is a chained comparison,
        # i.e. (serv == "http") and ("http" in serv); it only matches the
        # exact name "http".  Probably `"http" in serv` was intended -- verify.
        if serv == "http" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.httpEnum, ip_address, port)
        # NOTE(review): `or "https" in serv` binds as
        # (serv == "ssl/http") or ("https" in serv) -- confirm that is intended.
        elif serv == "ssl/http" or "https" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.httpEnum, ip_address, port)
        elif "ssh" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.sshEnum, ip_address, port)
        elif "smtp" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.smtpEnum, ip_address, port)
        elif "snmp" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.snmpEnum, ip_address, port)
        elif "domain" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.dnsEnum, ip_address, port)
        elif "ftp" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.ftpEnum, ip_address, port)
        elif "microsoft-ds" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.smbEnum, ip_address, port)
        # NOTE(review): the ms-sql branch calls httpEnum, same as the http
        # branches above; looks like a copy-paste slip -- confirm intent.
        elif "ms-sql" in serv:
            for port in ports:
                port = port.split("/")[0]
                recon.multProc(recon.httpEnum, ip_address, port)
    print "INFO: TCP/UDP Nmap scans completed for " + ip_address
    return
#!/usr/bin/python import subprocess import sys import os import recon if len(sys.argv) != 2: print "Usage: smbrecon.py <ip address>" sys.exit(0) ip = sys.argv[1] recon.checkpath("./results/" + ip) try: print "\033[1;37m[-] ----------------------------------------------------------------------------- \033[1;m" print('\033[1;37m[-] | Starting SMB script scan for {0}\033[1;m'.format(ip)) print "\033[1;37m[-] ----------------------------------------------------------------------------- \033[1;m" VULNSCAN = "nmap -sV -Pn -vv -p445,139 --script=smb-vuln* --script-args=unsafe=1 -oN './results/{0}/{0}_smb.nmap' {0}".format(ip) scanresults = subprocess.check_output(VULNSCAN, shell=True) recon.logparsertxt(scanresults) NBTSCAN = "./Modules/samrdump.py %s" % (ip) nbtresults = subprocess.check_output(NBTSCAN, shell=True) if ("Connection refused" not in nbtresults) and ("Connect error" not in nbtresults) and ("Connection reset" not in nbtresults): print('\033[1;33m[+] \033[1;33mSAMRDUMP has connected to {0} if there are results displaying them below\033[1;m'.format(ip)) lines = nbtresults.split("\n") for line in lines: if ("Found" in line) or (" . " in line): print '\033[1;32m[+] ' + line + '\033[1;m' E4L = "enum4linux {0}".format(ip) print "\033[1;37m[-] ----------------------------------------------------------------------------- \033[1;m" print('\033[1;37m[-] | Starting ENUM4LINUX for {0}\033[1;m'.format(ip))
recon.multProc(recon.httpEnum, ip_address, port) print "INFO: TCP/UDP Nmap scans completed for " + ip_address return # grab the discover scan results and start scanning up hosts print "////////////////////////////////////////////////////////////" print "/// Enumeration script ///" print "/// -- ///" print "/// ///" print "/// 0x90:N0_Operation ///" print "////////////////////////////////////////////////////////////" if __name__ == '__main__': try: recon.checkpath("./results/") f = open('./ips', 'r') # CHANGE THIS!! grab the alive hosts from the discovery scan for enum for scanip in f: jobs = [] p = multiprocessing.Process(target=scanner, args=(scanip,)) jobs.append(p) p.start() f.close() except: print "[INFO] No 'ips' file found going for manual ip input" ip_start = raw_input("Please enter manual start ip /24 : ") start_list = ip_start.split(".") ip_end = raw_input("Please enter manual end ip /24 : ") end_list = ip_end.split(".") top = int(start_list[3]) bot = int(end_list[3])